Files
govoplan-core/docs/DEPENDENCY_AUDITS.md
Albrecht Degering 635d25c74c
Some checks failed
Dependency Audit / dependency-audit (push) Has been cancelled
Module Matrix / module-matrix (push) Has been cancelled
chore: consolidate platform split checks
2026-07-10 12:51:19 +02:00

2.1 KiB

Dependency Audits

GovOPlaN keeps dependency vulnerability checks reproducible but separate from the fast local smoke suite, because both Python and npm audits need network metadata and can fail for newly disclosed advisories without a source change.

Local Workflow

Install the development audit dependency once:

cd /mnt/DATA/git/govoplan-core
./.venv/bin/python -m pip install -r requirements-dev.txt

Run both backend and WebUI production audits:

cd /mnt/DATA/git/govoplan-core
bash scripts/check-dependency-audits.sh

The script runs:

  • scripts/check-dependency-hygiene.sh for pip resolver consistency, stale legacy editable package metadata, deprecated framework constants, and the Starlette TestClient deprecation smoke when test dependencies are present
  • python -m pip_audit --progress-spinner off
  • npm audit --omit=dev in webui

For fast local checks without vulnerability metadata lookups, run:

cd /mnt/DATA/git/govoplan-core
CHECK_TESTCLIENT_DEPRECATIONS=1 bash scripts/check-dependency-hygiene.sh

This is also part of scripts/check-focused.sh, so resolver drift and deprecation regressions fail close to the code change that introduced them.

Override tool paths when testing from a disposable environment:

PYTHON=/tmp/govoplan-audit/bin/python \
NPM=/home/zemion/.nvm/versions/node/v22.22.3/bin/npm \
bash scripts/check-dependency-audits.sh

CI Workflow

.gitea/workflows/dependency-audit.yml installs release dependencies from tagged package refs, installs pip-audit, and runs the same script on pushes, pull requests, and a weekly schedule.

The workflow intentionally uses release dependency refs instead of local file: or editable sibling paths. Development lockfiles may keep local module links, but release audit results should represent the installable product.

Recording Results

When closing or triaging dependency-audit issues, add a short dated note under docs/audits/. Record:

  • the commands that were run
  • whether Python and npm passed
  • any advisories accepted as temporary risk
  • follow-up issue links for required upgrades